<!DOCTYPE html>
<html lang="en">
  <head>
    <title>
  📦 Volatility3 Linux Plugin : Inodes · ForensicXlab
</title>
    <meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="color-scheme" content="light dark">


<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content; default-src 'self'; child-src 'self'; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net/; form-action 'self'; frame-src 'self'; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://cdn.jsdelivr.net/; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://cdn.jsdelivr.net/; prefetch-src 'self'; connect-src 'self' https://www.google-analytics.com;">




<meta name="author" content="ForensicXlab">
<meta name="description" content="Abstract Link to heading The filesystem is one of the most basic and important concepts in UNIX/Linux. This concept is working around the idea that “everything is a file”, meaning that the hardware, regular files, directories, sockets, kernel data structures, process communications etc are represented as files with their own types. On a filesystem, a file (whatever its type) is assigned with a number called an &ldquo;inode&rdquo;. An inode is an interface between the blocks on the filesystem and the file.">
<meta name="keywords" content="blog, DFIR">

<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="📦 Volatility3 Linux Plugin : Inodes"/>
<meta name="twitter:description" content="Abstract Link to heading The filesystem is one of the most basic and important concepts in UNIX/Linux. This concept is working around the idea that “everything is a file”, meaning that the hardware, regular files, directories, sockets, kernel data structures, process communications etc are represented as files with their own types. On a filesystem, a file (whatever its type) is assigned with a number called an &ldquo;inode&rdquo;. An inode is an interface between the blocks on the filesystem and the file."/>

<meta property="og:title" content="📦 Volatility3 Linux Plugin : Inodes" />
<meta property="og:description" content="Abstract Link to heading The filesystem is one of the most basic and important concepts in UNIX/Linux. This concept is working around the idea that “everything is a file”, meaning that the hardware, regular files, directories, sockets, kernel data structures, process communications etc are represented as files with their own types. On a filesystem, a file (whatever its type) is assigned with a number called an &ldquo;inode&rdquo;. An inode is an interface between the blocks on the filesystem and the file." />
<meta property="og:type" content="article" />
<meta property="og:url" content="http://www.forensicxlab.com/posts/inodes/" /><meta property="article:section" content="posts" />
<meta property="article:published_time" content="2022-09-14T21:11:58+02:00" />
<meta property="article:modified_time" content="2022-09-14T21:11:58+02:00" />





<link rel="canonical" href="http://www.forensicxlab.com/posts/inodes/">


<link rel="preload" href="/fonts/forkawesome-webfont.woff2?v=1.2.0" as="font" type="font/woff2" crossorigin>


  
  
  <link rel="stylesheet" href="/css/coder.min.4897cb1d7ba929d10aabbac6e9bf40a8ecb89318118d99027cb159e38fb32b28.css" integrity="sha256-SJfLHXupKdEKq7rG6b9AqOy4kxgRjZkCfLFZ44&#43;zKyg=" crossorigin="anonymous" media="screen" />








 




<link rel="icon" type="image/png" href="/images/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/images/favicon-16x16.png" sizes="16x16">

<link rel="apple-touch-icon" href="/images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon.png">

<link rel="manifest" href="/site.webmanifest">
<link rel="mask-icon" href="/images/safari-pinned-tab.svg" color="#5bbad5">




<meta name="generator" content="Hugo 0.101.0" />





  </head>




<body class="preload-transitions colorscheme-light">
  
<div class="float-container">
    <a id="dark-mode-toggle" class="colorscheme-toggle">
        <i class="fa fa-adjust fa-fw" aria-hidden="true"></i>
    </a>
</div>


  <main class="wrapper">
    <nav class="navigation">
  <section class="container">
    <a class="navigation-title" href="/">
      ForensicXlab
    </a>
    
      <input type="checkbox" id="menu-toggle" />
      <label class="menu-button float-right" for="menu-toggle">
        <i class="fa fa-bars fa-fw" aria-hidden="true"></i>
      </label>
      <ul class="navigation-list">
        
          
            <li class="navigation-item">
              <a class="navigation-link" href="/posts/">Blog</a>
            </li>
          
            <li class="navigation-item">
              <a class="navigation-link" href="/toolshed/">ToolShed</a>
            </li>
          
            <li class="navigation-item">
              <a class="navigation-link" href="/about/">About</a>
            </li>
          
            <li class="navigation-item">
              <a class="navigation-link" href="/contact/">Contact</a>
            </li>
          
        
        
      </ul>
    
  </section>
</nav>


    <div class="content">
      
  <section class="container post">
    <article>
      <header>
        <div class="post-title">
          <h1 class="title">
            <a class="title-link" href="http://www.forensicxlab.com/posts/inodes/">
              📦 Volatility3 Linux Plugin : Inodes
            </a>
          </h1>
        </div>
        <div class="post-meta">
          <div class="date">
            <span class="posted-on">
              <i class="fa fa-calendar" aria-hidden="true"></i>
              <time datetime="2022-09-14T21:11:58&#43;02:00">
                September 14, 2022
              </time>
            </span>
            <span class="reading-time">
              <i class="fa fa-clock-o" aria-hidden="true"></i>
              6-minute read
            </span>
          </div>
          
          <div class="categories">
  <i class="fa fa-folder" aria-hidden="true"></i>
    <a href="/categories/memory-forensics/">Memory Forensics</a></div>

          <div class="tags">
  <i class="fa fa-tag" aria-hidden="true"></i>
    <span class="tag">
      <a href="/tags/dfir/">DFIR</a>
    </span>
      <span class="separator">•</span>
    <span class="tag">
      <a href="/tags/memory-forensics/">Memory Forensics</a>
    </span>
      <span class="separator">•</span>
    <span class="tag">
      <a href="/tags/vfs/">VFS</a>
    </span>
      <span class="separator">•</span>
    <span class="tag">
      <a href="/tags/inodes/">Inodes</a>
    </span>
      <span class="separator">•</span>
    <span class="tag">
      <a href="/tags/linux/">Linux</a>
    </span></div>

        </div>
      </header>

      <div>
        
        <h1 id="abstract">
  Abstract
  <a class="heading-link" href="#abstract">
    <i class="fa fa-link" aria-hidden="true" title="Link to heading"></i>
    <span class="sr-only">Link to heading</span>
  </a>
</h1>
<p>The filesystem is one of the most basic and important concepts in UNIX/Linux. This concept is working around the idea that “everything is a file”, meaning that the hardware, regular files, directories, sockets, kernel data structures, process communications etc are represented as files with their own types. On a filesystem, a file (whatever its type) is assigned with a number called an &ldquo;<strong>inode</strong>&rdquo;. An inode is an interface between the blocks on the filesystem and the file.</p>
<p>When a process is running, it is interacting with the hardware, the kernel, the user’s resources etc, therefore opening the required files. Linux is keeping track of the opened files inodes in memory by using the <strong>Virtual File System</strong> (VFS) and more precisely the <strong>directory entry cache</strong> (dentry). In this article, I will present how you can extract inode metadata from a modern Linux memory image using the volatility3 framework.</p>
<h1 id="linux-memory-analysis">
  Linux memory analysis
  <a class="heading-link" href="#linux-memory-analysis">
    <i class="fa fa-link" aria-hidden="true" title="Link to heading"></i>
    <span class="sr-only">Link to heading</span>
  </a>
</h1>
<p>When performing memory forensics on a Linux memory image, the fact that a lot of distribution exist is making the memory analysis with volatility3 trickier. Volatility3 is basically trying to identify known structures in memory to create python objects that can be exploited. The framework needs <strong>symbol tables</strong> to be able to know where to find these structures and how they are defined. For example, to identify the structures inside a x64 Intel based Linux Debian machine memory dump, you&rsquo;ll need:</p>
<ul>
<li>To find the kernel debugging symbols generated at compilation time matching the kernel version.</li>
<li>Convert the debugging symbols into symbol tables understandable by volatility3.</li>
<li>Work with the framework to identify and extract structures from memory and get your artifacts.</li>
</ul>
<p>You can learn more about theses steps here : <a href="https://volatility3.readthedocs.io/en/latest/symbol-tables.html">https://volatility3.readthedocs.io/en/latest/symbol-tables.html</a></p>
<p>This process is easier for Windows and Mac because there is &ldquo;one distribution&rdquo; per OS. However, the fact that a lot of distributions for Linux exists makes this task more difficult.</p>
<p><img src="/images/inodes/KDS.png" alt="alt text" title="Kernel Debugging Symbols"></p>
<h1 id="inode-forensics-value-in-memory">
  Inode forensics value in memory
  <a class="heading-link" href="#inode-forensics-value-in-memory">
    <i class="fa fa-link" aria-hidden="true" title="Link to heading"></i>
    <span class="sr-only">Link to heading</span>
  </a>
</h1>
<p>If you have ever performed digital forensic on a post-mortem Linux investigation, you may know that the inode structure on disk varies depending on the type of filesystem used. For example, Debian is by default using <strong>ext4</strong> filesystem whereas Fedora is using <strong>XFS</strong> and CentOS is using <strong>btrfs</strong>.</p>
<p>However, the fact that we are performing our analysis in memory, we are talking about extracting inode objects contained in the <strong>directory entry cache</strong> (dentry) from the <strong>Virtual File System</strong> (VFS). The VFS is an abstraction of the filesystem within the kernel which allows coexistence between the different type encountered. The fact that dentries are living in RAM and are never saved to the disk is giving us new useful forensics artifacts that may not be found on a classic “dead system”.</p>
<p>When a process is opening files, it is storing a list of file descriptors. Each file descriptor (fd) is a pointer to a structure containing the dentry cache. We can extract the file inode from this structure and get access to its metadata which are very useful forensics artifacts. We can retrieve the following:</p>
<ul>
<li>File size in bytes (i_size)</li>
<li>File permissions (i_mode)</li>
<li>Last modification time (mtime)</li>
<li>Last changed time (ctime)</li>
<li>Last access time (atime)
<img src="/images/inodes/dentry.png" alt="alt text" title="How to get the dentry"></li>
</ul>
<h1 id="the-volatility3-inode-plugin">
  The Volatility3 inode plugin
  <a class="heading-link" href="#the-volatility3-inode-plugin">
    <i class="fa fa-link" aria-hidden="true" title="Link to heading"></i>
    <span class="sr-only">Link to heading</span>
  </a>
</h1>
<p>To be able to extract inode metadata from memory we can identify those major steps:</p>
<ul>
<li>Go through each process using the <strong>pslist</strong> plugin.</li>
<li>For each process, extract the list of file descriptors using code from the <strong>lsof</strong> plugin.</li>
<li>For each file descriptor, extract the cached dentries, parse the inode metadata and return the result.</li>
</ul>
<p>As a result, the plugin is extracting all of the inode metadata needed to help us during our investigation (we like timestamps !).</p>
<div class="highlight"><pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>~/work/DFIR/Memory Analysis/MemoryImages/debian 5.10.0-18-amd64 » vol -f Debian\ XFS.vmem -s symbols linux.inodes
</span></span><span style="display:flex;"><span>Volatility 3 Framework 2.0.1
</span></span><span style="display:flex;"><span>Progress:  100.00		Stacking attempts finished
</span></span><span style="display:flex;"><span>PID	Process	Inode	Mode	File	LastChange	LastModify	LastAccessed	Size
</span></span><span style="display:flex;"><span>...
</span></span><span style="display:flex;"><span>2555	firefox-esr	52709413	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/places.sqlite-wal	2022-09-11 22:05:11.000000 	2022-09-11 22:05:11.000000 	2022-09-11 22:05:12.000000 	2164304
</span></span><span style="display:flex;"><span>2555	firefox-esr	34057200	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/storage/permanent/chrome/idb/1451318868ntouromlalnodry--epcr.sqlite-wal	2022-09-11 22:05:04.000000 	2022-09-11 22:05:04.000000 	2022-09-11 22:05:04.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	52709410	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/places.sqlite	2022-09-11 22:05:04.000000 	2022-09-11 22:05:04.000000 	2022-09-11 22:05:04.000000 	5242880
</span></span><span style="display:flex;"><span>2555	firefox-esr	52709413	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/places.sqlite-wal	2022-09-11 22:05:11.000000 	2022-09-11 22:05:11.000000 	2022-09-11 22:05:12.000000 	2164304
</span></span><span style="display:flex;"><span>2555	firefox-esr	52709411	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/favicons.sqlite	2022-09-11 22:05:01.000000 	2022-09-11 22:05:01.000000 	2022-09-11 22:05:01.000000 	5242880
</span></span><span style="display:flex;"><span>2555	firefox-esr	52709412	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/favicons.sqlite-wal	2022-09-11 22:05:11.000000 	2022-09-11 22:05:11.000000 	2022-09-11 22:05:01.000000 	1147752
</span></span><span style="display:flex;"><span>2555	firefox-esr	52709414	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/content-prefs.sqlite	2022-09-11 22:05:02.000000 	2022-09-11 22:05:02.000000 	2022-09-11 22:05:03.000000 	229376
</span></span><span style="display:flex;"><span>2555	firefox-esr	35077	srwxrwxrwx	socket:[35077]	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	32451	srwxrwxrwx	socket:[32451]	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	32393	srwxrwxrwx	socket:[32393]	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	32457	srwxrwxrwx	socket:[32457]	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	32455	srwxrwxrwx	socket:[32455]	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	32470	srwxrwxrwx	socket:[32470]	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	31746	srwxrwxrwx	socket:[31746]	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	1970-01-01 01:00:00.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	31748	prw-------	pipe:[31748]	2022-09-11 22:05:02.000000 	2022-09-11 22:05:02.000000 	2022-09-11 22:05:02.000000 	0
</span></span><span style="display:flex;"><span>2555	firefox-esr	34057193	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite	2022-09-11 22:05:07.000000 	2022-09-11 22:05:07.000000 	2022-09-11 22:05:11.000000 	507904
</span></span><span style="display:flex;"><span>2555	firefox-esr	34057204	-rw-r--r--	/home/volatility/.mozilla/firefox/k2jz4psu.default-esr/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite-wal	2022-09-11 22:05:07.000000 	2022-09-11 22:05:07.000000 	2022-09-11 22:05:07.000000 	0
</span></span><span style="display:flex;"><span>...
</span></span></code></pre></div><p>The fact that we have extracted timestamps makes it possible to build the timeline of the events via the integration to the <strong>Timeliner</strong> plugin.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>~/work/DFIR/Memory Analysis/MemoryImages/debian 5.10.0-18-amd64 » vol -f Debian\ XFS.vmem -s symbols timeline | more                                                                                              130 ↵ k1nd0ne@MacBook-Pro-de-Felix
</span></span><span style="display:flex;"><span>Volatility 3 Framework 2.0.1    Running plugin Bash...
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>Plugin  Description     Created Date    Modified Date   Accessed Date   Changed Date
</span></span><span style="display:flex;"><span>Bash    2490 (bash): &#34;echo &#34;hello bash history&#34;&#34;        2022-09-11 20:04:52.000000      N/A     N/A     N/A
</span></span><span style="display:flex;"><span>...
</span></span><span style="display:flex;"><span>Inodes  Process firefox-esr (2555) Open &#34;/usr/lib/firefox-esr/browser/extensions/langpack-fr@firefox-esr.mozilla.org.xpi&#34;       N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span><span style="display:flex;"><span>Inodes  Process firefox-esr (2555) Open &#34;/usr/lib/firefox-esr/browser/features/doh-rollout@mozilla.org.xpi&#34;     N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span><span style="display:flex;"><span>Inodes  Process firefox-esr (2555) Open &#34;/usr/lib/firefox-esr/browser/features/formautofill@mozilla.org.xpi&#34;    N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span><span style="display:flex;"><span>Inodes  Process firefox-esr (2555) Open &#34;/usr/lib/firefox-esr/browser/features/pictureinpicture@mozilla.org.xpi&#34;        N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span><span style="display:flex;"><span>Inodes  Process firefox-esr (2555) Open &#34;/usr/lib/firefox-esr/browser/features/proxy-failover@mozilla.com.xpi&#34;  N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span><span style="display:flex;"><span>Inodes  Process firefox-esr (2555) Open &#34;/usr/lib/firefox-esr/browser/features/screenshots@mozilla.org.xpi&#34;     N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span><span style="display:flex;"><span>Inodes  Process firefox-esr (2555) Open &#34;/usr/lib/firefox-esr/browser/features/webcompat@mozilla.org.xpi&#34;       N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span><span style="display:flex;"><span>Inodes  Process Privileged Cont (2626) Open &#34;/usr/lib/firefox-esr/browser/extensions/langpack-fr@firefox-esr.mozilla.org.xpi&#34;   N/A     2022-08-23 23:09:13.000000      2022-09-11 22:04:59.000000      2022-09-11 21:51:29.000000
</span></span></code></pre></div><h1 id="conclusion">
  Conclusion
  <a class="heading-link" href="#conclusion">
    <i class="fa fa-link" aria-hidden="true" title="Link to heading"></i>
    <span class="sr-only">Link to heading</span>
  </a>
</h1>
<p>To conclude, this plugin is a good way to an in depth understanding of how a Linux kernel is storing files in memory and what are the information you can extract from a Linux memory acquisitions.  This plugin was tested on a Debian with kernel version <strong>5.10.0.18-amd64</strong>. The plugin is available on the forensicxlab github repository: <a href="https://github.com/forensicxlab/volatility3_plugins">https://github.com/forensicxlab/volatility3_plugins</a>.</p>
<p>You should identify each steps described before in the source code comments. Do not hesitate to reach me at <a href="mailto:felix.guyard@forensicxlab.com">felix.guyard@forensicxlab.com</a> to make this article better, or to make a pull-request on the repository to enhance this plugin. Happy Hunting!</p>
<h1 id="references">
  References
  <a class="heading-link" href="#references">
    <i class="fa fa-link" aria-hidden="true" title="Link to heading"></i>
    <span class="sr-only">Link to heading</span>
  </a>
</h1>
<p><a href="https://www.kernel.org/doc/html/latest/filesystems/vfs.html">https://www.kernel.org/doc/html/latest/filesystems/vfs.html</a></p>
<p><a href="http://books.gigatux.nl/mirror/kerneldevelopment/0672327201/ch12lev1sec7.html">http://books.gigatux.nl/mirror/kerneldevelopment/0672327201/ch12lev1sec7.html</a></p>
<p><a href="http://books.gigatux.nl/mirror/kerneldevelopment/0672327201/ch12lev1sec6.html">http://books.gigatux.nl/mirror/kerneldevelopment/0672327201/ch12lev1sec6.html</a></p>
<p><a href="https://github.com/torvalds/linux">https://github.com/torvalds/linux</a></p>
<p><a href="https://volatility3.readthedocs.io/en/latest/index.html">https://volatility3.readthedocs.io/en/latest/index.html</a></p>

      </div>


      <footer>
        


        
        
        
      </footer>
    </article>

    
  </section>

    </div>

    <footer class="footer">
  <section class="container">
    ©
    
      2021 -
    
    2022
     ForensicXlab 
    ·
    
    Powered by <a href="https://gohugo.io/">Hugo</a> & <a href="https://github.com/luizdepra/hugo-coder/">Coder</a>.
    
  </section>
</footer>

  </main>

  

  
  
  <script src="/js/coder.min.236049395dc3682fb2719640872958e12f1f24067bb09c327b233e6290c7edac.js" integrity="sha256-I2BJOV3DaC&#43;ycZZAhylY4S8fJAZ7sJwyeyM&#43;YpDH7aw="></script>
  

  

  

  

  

  

  

  

  

  
</body>

</html>
